Does one size fit all? The Modernization of an AML Audit into a Financial Crime Audit

Jay Smith, CAMS-Audit

Contents

1 EXECUTIVE SUMMARY
2 BACKGROUND
3 FINANCIAL CRIME AUDIT METHODOLOGY
  3.1 Financial Crime Audit Risk Assessment
  3.2 Review of Training Records
  3.3 Suspicious Activity Reporting
4 KNOW YOUR EMPLOYEE
  4.1 Why should you audit your know your employee processes?
  4.2 How can you audit this sensitive process?
5 WHO SHOULD CONDUCT THE AUDIT
  5.1 Independence
  5.2 Qualification
6 CONCLUSION
7 APPENDIX
  7.1 Acronyms
  7.2 Survey Results
  7.3 Resources

The views expressed in this paper are solely those of the author and do not reflect the opinion of the Association of Certified Anti-Money Laundering Specialists (“ACAMS”).

1 EXECUTIVE SUMMARY

Does one size fit all? Can an anti-money laundering (AML) audit mitigate an institution’s every risk of financial crime? As bribery and corruption regulations continuously expand and new regulations, such as the Foreign Account Tax Compliance Act (FATCA), emerge, the need for more comprehensive in-house risk policies has increased significantly. Corporate leaders have come to realize that other risks, such as sanctions and fraud, threaten the reputation of every institution. Therefore, even though current regulations only require an AML audit to be conducted, it is considered a management best practice to have an independent audit within the organization for other types of financial crime risks.

This white paper postulates that a robust independent financial crime (FC) audit will enable the organization to detect and deter a broader set of financial crime risks, and explains why all organizations can easily adopt such FC audits: the steps and processes are already established for their mandatory AML audits.
Although the focus of an independent FC audit is to “kill two birds with one stone,” this paper does not recommend consolidating the AML and FC audits into a consolidated FC program. The white paper will refer to the results of a survey that was conducted for the sole purpose of this paper (Appendix 7.2). The survey shows that compliance professionals strongly feel that their current AML audit programs can be, and should be, expanded to include other financial crime risks.

This paper will also explain how auditing the management best practice of “knowing your employee” can help to mitigate asset misappropriation risks. In 2014, asset misappropriation was identified by PricewaterhouseCoopers (PWC) as the most prevalent economic crime reported by financial institutions. [1]

This white paper will also highlight the need for independent audits to be completed by qualified individuals. This is currently not a requirement in some offshore jurisdictions. Furthermore, some institutions have their AML audits completed by their external financial auditor as part of their annual audit process. Although convenient, these financial auditors may not be qualified to spot the signs of the broader range of financial crimes.

Overall, this white paper will conclude that every organization will benefit from a FC audit, and that in this instance, one size does fit all.

[1] http://www.pwc.com/gx/en/economic-crime-survey/economic-crimes/index.jhtml

2 BACKGROUND

Independent auditing of an anti-money laundering/counter-terrorist financing (AML/CTF) program is a regulatory requirement highlighted in Section 352 of the USA PATRIOT Act [2] and is carried out by organizations to check the effectiveness of their AML/CTF controls and systems.
In general, independent auditing refers to the scrutiny of an organization’s AML/CTF program by an objective person or department that is unrelated to the AML/CTF functions within the organization, or by an independent third party. A thorough AML/CTF audit will help the organization understand whether its program is up-to-date with the legislation, and highlight any loopholes in the controls and systems, so that corrective measures can be implemented.

Section 352 of the USA PATRIOT Act and the Financial Action Task Force (FATF) Recommendation 18 require an AML/CTF program to include the following:

1. Development of internal policies, procedures and controls
2. Designation of a compliance manager
3. Ongoing training for employees
4. An independent audit function to test the system [1,3]

The points mentioned above are just an indication of the minimum requirements of an AML/CTF program as required by law, and should not act as the exhaustive framework. As highlighted by the FATF Recommendations in 2012, AML/CTF programs should be planned with a risk-based approach. Therefore, in addition to the requirements mandated by legislation, AML/CTF best practice would mandate incorporating the following aspects:

• AML/CFT risk assessment in the areas of products, customer types, geographic business locations, and other relevant aspects

1. Enterprise-wide approach
2. AML and OFAC monitoring system
3. Documentation
4. Reporting, constant follow-up and escalation, as well as including the review of reports such as suspicious activity reports (SARs) and currency transaction reports (CTRs)
5. Know your customer/Customer Identification Program (KYC/CIP)
6. Customer due diligence (CDD) and enhanced due diligence (EDD)
7. Information sharing as required under Section 314
8. Regulatory examinations by the designated authorities such as FINRA, SEC and others. [4,5]

[2] USA Patriot Act of 2001, http://www.sec.gov/about/offices/ocie/aml/patriotact2001.pdf
[3] FATF Recommendations, International Standards on combating money laundering and the financing of terrorism & proliferation.

However, the question remains: Why are these guidelines limited to AML/CTF and not mandatory for other financial crimes such as tax evasion, bribery and corruption, sanctions and fraud? Also, should employee due diligence be conducted in the same manner as due diligence for customers? In many cases, screening of employees is neglected and could turn into not only an AML/CTF risk but, more importantly, a reputational risk, depending on the nature of the business.

Apart from money laundering, all institutions are acutely aware that they are exposed to the greater range of financial crime, including bribery, corruption, cyber-crime, fraud and sanctions, and have adopted different systems and programs to combat these risks. However, they are not required by law to independently audit these financial crime defences, and constantly rely on their own internal audit committees to check these programs, disregarding the importance of impartial, objective assessments of these pervasive financial and reputational risks.

3 FINANCIAL CRIME AUDIT METHODOLOGY

AML policy and procedures have gotten better at determining what processes and controls are needed to mitigate AML risks. As these regulatory requirements expand, the risks and mandatory controls have evolved with them to enhance protection against AML risks. A FC audit methodology will expand on a typical AML audit methodology to include testing controls that mitigate the other financial crime risks.
The objectives of a FC audit should include:

• The effectiveness of the institution’s overall compliance function in timely identification, analysis, monitoring and reporting of the principal FC risks to which the institution is exposed, and the responsiveness of these compliance functions to changing risk dynamics
• The appropriateness and successful implementation of management decisions, and their adherence to director’s directives
• Policies and procedures of the institution are up-to-date and effectively implemented
• Compliance with regulatory and procedural requirements, and the approved policies of the institution.

[4] Goldzung, Laura H, Managing AML audit expectations, http://www.amlauditservices.com/Articles/Goldzung_PCRM_Nov%202013.pdf
[5] The role of an effective independent review of your institution’s anti-money laundering (AML) program by Pricewaterhouse Coopers, https://www.pwc.com/en_US/us/financial-services/regulatory-services/assets/pwc_aml_role.pdf

Do these objectives sound remarkably familiar? They should, as they are very similar to the objectives of a typical AML audit. The only difference is the focus on the broader scope of FC risks. Hence, initiating a FC audit can be easily accomplished, as many of the planning, executing, reporting and monitoring processes are already established for the AML audit.

In the survey, 60 percent of participants felt that having an independent FC audit is beneficial to reducing FC risks. One respondent went as far as to say, “Who would answer no!” Full results of the survey are available in Appendix 7.3.

Of the 23 percent of respondents who said that their organization did not have any independent and regular reviews of their other FC programs, the reason was consistent: cost.
While this paper makes no attempt to adopt an apathetic attitude towards the obvious cost of FC auditing, we emphasize that companies need to have very clear expectations of the cost of regulatory compliance and recognize the necessity of staying ahead of financial criminals. The recent spate of high profile regulatory action against institutions such as HSBC, JPMorgan Chase Bank, N.A. and TD Bank, N.A. cements the fact that no one is immune to financial crime, nor to the penalties of non-compliance. [6]

Although funding the more expensive financial crime audit could increase the cost of compliance, there are several ways to mitigate the cost apart from passing the costs on to the customer, or allowing it to eat into the bottom line. Possible sources of funding include savings achieved from an institution-wide implementation of:

• Adoption of cloud-based systems to reduce document retention costs
• Streamlining of processes into electronic platforms
• Reduction of travel and training expenditure by using teleconferences, webinars, and/or online modules.

[6] www.bankersonline.com/security/bsapenaltylist.html

Implementing a robust FC audit should not be evaluated purely on the basis of cost. As important a consideration as that may be, it must be evaluated based on what is reasonably and morally expected of a quality financial institution. Once these companies successfully implement an effective FC audit strategy, the benefits of greater customer confidence and the derived savings from preventing a financial crime will appreciably outweigh the cost and effort of preventive action.

3.1 Financial Crime Audit Risk Assessment

Initiating the FC audit is arguably the most challenging phase that the company will face. Where do you start and what should be your focus? Which FC risk should get the most attention?
A FC audit risk assessment (FCARA) should be conducted to identify which areas of the operation are most vulnerable to financial crime. The first place to start would be the current AML risk assessment, as most organizations tend to integrate the audits of other FC risks into their AML risk assessment in some form or another. In our survey, 73 percent of respondents confirmed that their AML risk assessment already includes some form of oversight on other financial crime risks.

The risk elements that are already identified in the current AML risk assessment are the ones that are most relevant, and/or prevalent in your industry or business. In addition to the vulnerabilities that are listed in the AML risk assessment, it is important to run through and evaluate other potential FC risks that do not appear to affect the organization at the moment. Vulnerabilities such as asset misappropriation, fraud, bribery, corruption, cyber-crime, data theft and insider dealing are just some of the major threats to all businesses, and usually take place under the radar unbeknownst to the business owner. Having an audit that ensures that the tell-tale signs are identified and reported could help rein in a financial or reputational disaster before it happens.

The steps to plan and operationalize your FCARA should be:

• Identify what your annual regulatory requirements are (i.e., AML/FATCA)
• Confirm weaknesses, control deficiencies and opportunities that have been identified in the AML risk assessment
• Identify other possible vulnerabilities that are unrelated to AML/CTF (i.e., fraud, bribery, corruption)
• Identify AML risk assessment processes and activities with which the FC audit can integrate and align to “kill two birds with one stone.”

Once your FCARA is completed, your FC Audit should take the following shape:

1 DOCUMENTATION REVIEW
Risk Assessment and Financial Crime Program
Documentation, policies and procedures that relate to:
• AML policies and procedures
• FATCA policies and procedures
• Bribery and corruption policies and procedures
• Know your employee “KYE” policies and procedures
• Other risks identified in the FCARA

2 INTERVIEWS
Targeted Interviews with Key Personnel
Interview key people in the organization that set, monitor, implement and deliver the risk assessments and financial crime programs. This may include senior management through to front office staff if necessary.

3 TESTING **
Test a series of selected processes and procedures to ensure that what is expected to happen actually does happen. Areas of focus:
• Client onboarding processes
• U.S. client identification
• Transaction monitoring
• SARs
• KYE processes (refer to section 4)
• All FC Training

4 FC AUDIT OPINION
The results of a FC Audit can be communicated in a phased approach:
1. Exception reporting to the key people in the organization that set, monitor, implement and deliver the risk assessments and FC programs.
2. Final report to senior management and board.

** Testing will be risk-based and weighted towards regulatory requirements and controls identified during the FCARA as being HIGH risk.

This approach is methodical and robust, and adopts an enterprise-wide oversight with particular focus on areas where FC risks are highest.
This methodology undertakes a “point in time” audit to assess the organization’s compliance with AML, FATCA and the competence of the internal systems to protect against other financial and reputational risks. It will also complete work to assess the controls surrounding data protection procedures and information technology (IT) security contracts/programs. (NOTE: This will not include a detailed audit of the integrity of the IT programs as it is suggested that this should be completed by a content expert in IT.)

The schedule for certain FC tests can be completed on a periodic basis depending on where the risk is highest. Obviously AML requirements will still have to be included annually.

3.2 Review of Training Records

Ensuring that employees are trained to understand and identify what constitutes a FC risk is critical to an institution’s protection against these malicious activities. Training employees on the risks of money laundering is a regulatory requirement, but educating them on other FC risks is not, despite these risks being just as important, and possibly a greater reputational risk, to the institution.

In the survey, more than half of respondents noted that their compliance training only included AML, FATCA, fraud, bribery and corruption-related topics. FC audits should broaden the focus of the audit to include the review of other financial crime training material. Areas of focus for the FC audit should be:

• Are FATCA requirements included in the training?
  o Can employees identify U.S. client activities?
  o Do employees understand reporting requirements?
• Are employees educated on bribery and corruption?
• Assess the effectiveness of fraud training.
• Are employees reminded about data protection and other IT security threats?

Just like the assessment of AML training, each area of focus should be concentrated on completeness, frequency and effectiveness of the FC training.
It is critical that employees understand why they are completing these courses. Completing a FC audit and identifying gaps in this process will mitigate an institution’s risk against financial crime.

3.3 Suspicious Activity Reporting

SARs or Suspicious Transaction Reports (STRs) are mandatory regulatory requirements in most reputable jurisdictions. Maintaining a clearly defined channel for personnel to raise any concerns in relation to suspicious activities, without fear of reprisals, is critical in minimizing your institution’s risks to AML and other FC activities. Eighty percent of the surveyed respondents felt that their institution’s SARs policy already allows for employees to report suspicious activities other than AML activities. According to BankersOnline.com:

    Most of the BSA SAR reportable conditions across the sectors are in fact fraud and not money laundering… Better risk assessment processes are leading, responsively, to better detection and reporting of both AML and non-AML activity... The radar screen must be all-encompassing. [7]

[7] Abel, Alan S., Update: Auditing the AML Program – What’s New?, www.BankersOnline.com.

When auditing an institution’s SARs process, the main objective should be to identify any potential vulnerability to money laundering and other financial crimes. It is also not unusual for an auditor to discover potential suspicious activities during the audit process. Thus, it is important that auditors have sufficient training and expertise to recognize unusual and suspicious activities beyond AML.

4 KNOW YOUR EMPLOYEE

4.1 Why should you audit your know your employee processes?

The concept of know your employee (KYE) is not new to internal audits, nor is it new to AML best practices. However, incorporating KYE into a FC audit highlights new control weaknesses that have never been identified before. In their 2014 Economic Survey, PWC identified asset